On 18. 12. 6., Jung-uk Kim wrote:
> On 18. 12. 6., John Nielsen wrote:
>>> On Dec 6, 2018, at 4:04 PM, Xin LI <delp...@gmail.com> wrote:
>>>
>>> On Thu, Dec 6, 2018 at 11:37 AM John Nielsen <li...@jnielsen.net> wrote:
>>>>
>>>> I have upgraded two physical machines from 11-STABLE to 12-STABLE recently
>>>> (one is 12.0-PRERELEASE r341380 and the other is 12.0-PRERELEASE r341391).
>>>> I noticed today that neither machine seems to be utilizing /dev/crypto.
>>>> Typically I see at least ssh/sshd have the device open plus some programs
>>>> from ports. But 'fuser' doesn't list any processes on either machine:
>>>>
>>>> # fuser /dev/crypto
>>>> /dev/crypto:
>>>>
>>>> Both machines are running custom kernels that include "device crypto" and
>>>> "device cryptodev". One of them additionally has "device aesni".
>>>>
>>>> Is anyone else seeing this? Any idea what would cause it?
>>>
>>> Your average OpenSSL applications should not use /dev/crypto, if your
>>> goal is to utilize AES-NI (which does not require /dev/crypto). On
>>> capable systems, AES-NI would be used automatically (and it's faster
>>> this way).
>>
>> Thanks for the response. Is there a way to verify that AES-NI is being used
>> for e.g. ssh?
>> I'm also curious why/when/how the change to not use (or support?)
>> /dev/crypto from base
>> openssl was made.
>
> OpenSSL 1.1.1 removed the old cryptodev:
>
> https://svnweb.freebsd.org/base/vendor-crypto/openssl/dist/CHANGES?revision=340690&view=markup#l400
>
> Instead, OpenSSL added devcrypto engine for Linux:
>
> https://github.com/openssl/openssl/commit/619eb33
>
> and added BSD support:
>
> https://github.com/openssl/openssl/commit/4f79aff
>
> then, completely removed BSD-specific cryptodev:
>
> https://github.com/openssl/openssl/commit/f39a550
>
> However, it is disabled by default. Theoretically, it is functionally
> equivalent but it wasn't tested much.
>
> I can enable the new engine on head if many users request it.

FYI, the attached patch should enable the new engine.

Jung-uk Kim

Index: secure/lib/libcrypto/Makefile =================================================================== --- secure/lib/libcrypto/Makefile (revision 341666) +++ secure/lib/libcrypto/Makefile (working copy) @@ -192,8 +192,8 @@ SRCS+= ecp_nistz256-x86.S ecp_nistz256.c .endif # engine -SRCS+= eng_all.c eng_cnf.c eng_ctrl.c eng_dyn.c eng_err.c eng_fat.c -SRCS+= eng_init.c eng_lib.c eng_list.c eng_openssl.c eng_pkey.c +SRCS+= eng_all.c eng_cnf.c eng_ctrl.c eng_devcrypto.c eng_dyn.c eng_err.c +SRCS+= eng_fat.c eng_init.c eng_lib.c eng_list.c eng_openssl.c eng_pkey.c SRCS+= eng_rdrand.c eng_table.c tb_asnmth.c tb_cipher.c tb_dh.c tb_digest.c SRCS+= tb_dsa.c tb_eckey.c tb_pkmeth.c tb_rand.c tb_rsa.c Index: secure/lib/libcrypto/opensslconf.h.in =================================================================== --- secure/lib/libcrypto/opensslconf.h.in (revision 341666) +++ secure/lib/libcrypto/opensslconf.h.in (working copy) @@ -46,9 +46,6 @@ extern "C" { #ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE # define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE #endif -#ifndef OPENSSL_NO_DEVCRYPTOENG -# define OPENSSL_NO_DEVCRYPTOENG -#endif #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 # define OPENSSL_NO_EC_NISTP_64_GCC_128 #endif
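
Review bot: In the secure/lib/libcrypto/Makefile hunk, eng_devcrypto.c goes into the unconditional "# engine" SRCS list, so every libcrypto build compiles the engine with no way to leave it out. That addition only makes sense together with dropping OPENSSL_NO_DEVCRYPTOENG in opensslconf.h.in, so consider putting both behind a single build option: the two changes then cannot drift apart, and an engine the message above describes as "wasn't tested much" can be switched off without reverting the commit.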
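
Review bot: In the secure/lib/libcrypto/opensslconf.h.in hunk, deleting the OPENSSL_NO_DEVCRYPTOENG block changes the configuration header for every consumer, and nothing in the patch documents the resulting behaviour. The commit message should say whether the devcrypto engine merely becomes available or is also picked by default for ciphers and digests, since the thread above notes that AES-NI is used automatically without /dev/crypto and is faster that way. A short note for users on how to confirm or disable the engine would also help.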